DTS-37340 Develop : codeql log injection issue fix for Marriott

common/src/main/java/com/publicissapient/kpidashboard/common/controller/RunProcessorController.java

@@ -60,9 +60,6 @@ public ResponseEntity<Map> runProcessorForProjects(
 		ExecutionLogContext.set(processorExecutionBasicConfig.getLogContext());
 		MDC.put("Processor Name", jobExecuter.getProcessor().getProcessorName());
 		MDC.put("RequestStartTime", String.valueOf(System.currentTimeMillis()));
-		log.info("Received request to run the processor: {} for projects {}",
-				jobExecuter.getProcessor().getProcessorName(),
-				processorExecutionBasicConfig.getProjectBasicConfigIds());
 
 		jobExecuter.setProjectsBasicConfigIds(processorExecutionBasicConfig.getProjectBasicConfigIds());
 		jobExecuter.setExecutionLogContext(ExecutionLogContext.getContext());

common/src/main/java/com/publicissapient/kpidashboard/common/service/ProcessorExecutionTraceLogServiceImpl.java

@@ -47,12 +47,6 @@ public class ProcessorExecutionTraceLogServiceImpl implements ProcessorExecution
 
 	@Override
 	public void save(ProcessorExecutionTraceLog processorExecutionTracelog) {
-		log.info(
-				"last execution time of {} for project {} is {}. status is {} and lastSuccessfulRun is {} and LastEnableAssigneeToggleState is {} ",
-				processorExecutionTracelog.getProcessorName(), processorExecutionTracelog.getBasicProjectConfigId(),
-				processorExecutionTracelog.getExecutionEndedAt(), processorExecutionTracelog.isExecutionSuccess(),
-				processorExecutionTracelog.getLastSuccessfulRun(),
-				processorExecutionTracelog.isLastEnableAssigneeToggleState());
 
 		Optional<ProcessorExecutionTraceLog> existingTraceLogOptional = processorExecutionTraceLogRepository
 				.findByProcessorNameAndBasicProjectConfigId(processorExecutionTracelog.getProcessorName(),

customapi/src/main/java/com/publicissapient/kpidashboard/apis/appsetting/rest/EditKpiConfigController.java

@@ -62,7 +62,7 @@ public class EditKpiConfigController {
 	@RequestMapping(value = "/jira/editKpi/{projectBasicConfigId}/{kpiCode}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE) // NOSONAR
 	public ResponseEntity<ServiceResponse> fetchTypeValues(@PathVariable String projectBasicConfigId,
 			@PathVariable String kpiCode) {
-		projectBasicConfigId = CommonUtils.handleCrossScriptingTaintedValue(projectBasicConfigId);
+		projectBasicConfigId = CommonUtils.sanitizeUserInput(projectBasicConfigId);
 		kpiCode = CommonUtils.handleCrossScriptingTaintedValue(kpiCode);
 		log.info("Fetching data in KPI edit configuration for :{}", projectBasicConfigId);
 		Map<String, List<MetadataValue>> data = editKpiConfigService.getDataForType(projectBasicConfigId, kpiCode);

customapi/src/main/java/com/publicissapient/kpidashboard/apis/auth/rest/ForgotPasswordController.java

@@ -26,6 +26,7 @@
 import java.net.UnknownHostException;
 import java.util.UUID;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
@@ -95,7 +96,6 @@ public class ForgotPasswordController {
 	public ResponseEntity<ServiceResponse> processForgotPassword(@RequestBody ForgotPasswordRequest request,
 			HttpServletRequest httpServletRequest) {
 		boolean isSuccess = false;
-		log.info("ForgotPasswordController: requested mail {}", request.getEmail());
 		Authentication authentication = null;
 		try {
 			String serverPath = httpServletRequest.getScheme() + getApiHost() + httpServletRequest.getContextPath();
@@ -109,7 +109,7 @@ public ResponseEntity<ServiceResponse> processForgotPassword(@RequestBody Forgot
 			return ResponseEntity.ok().body(new ServiceResponse(isSuccess, "Success", authentication));
 		} catch (UnknownHostException e) {
 			log.error("UnknownHostException", e);
-			log.error("ForgotPasswordController: Mail can not be sent to {}", request.getEmail());
+			log.error("ForgotPasswordController: Mail can not be sent to {}", CommonUtils.sanitizeUserInput(request.getEmail()));
 			return ResponseEntity.badRequest().body(new ServiceResponse(isSuccess, "logError", null));
 		}
 	}

customapi/src/main/java/com/publicissapient/kpidashboard/apis/auth/service/ForgotPasswordServiceImpl.java

@@ -87,7 +87,6 @@ public class ForgotPasswordServiceImpl implements ForgotPasswordService {
 	 */
 	@Override
 	public Authentication processForgotPassword(String email, String url) {
-		log.info("ForgotPasswordServiceImpl: Requested mail {}", email);
 		Authentication authentication = getEmailExistsInDB(email);
 		if (authentication != null) {
 			String token = createForgetPasswordToken(authentication);

customapi/src/main/java/com/publicissapient/kpidashboard/apis/autoapprove/rest/AutoApproveAccessController.java

@@ -66,15 +66,13 @@ public ResponseEntity<ServiceResponse> modifyAutoApprovConfigById(@PathVariable(
 			@Valid @RequestBody AutoApproveAccessConfigDTO autoAcessDTO) {
 		ModelMapper modelMapper = new ModelMapper();
 		AutoApproveAccessConfig autoApproveRole = modelMapper.map(autoAcessDTO, AutoApproveAccessConfig.class);
-
 		if (!ObjectId.isValid(id)) {
 			log.info("Id not valid");
 			return ResponseEntity.status(HttpStatus.OK).body(new ServiceResponse(false,
 					"access_request@" + id + " does not exist", Arrays.asList(autoAcessDTO)));
 		}
 
 		AutoApproveAccessConfig autoApproveData = autoApproveService.modifyAutoApprovConfigById(id, autoApproveRole);
-		log.info("Modifying request@{}", id);
 		return ResponseEntity.status(HttpStatus.OK)
 				.body(new ServiceResponse(true, "modified access_request@" + id, Arrays.asList(autoApproveData)));
 	}

customapi/src/main/java/com/publicissapient/kpidashboard/apis/azure/rest/AzureController.java

@@ -2,6 +2,7 @@
 
 import java.util.List;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -35,6 +36,7 @@ public class AzureController {
 	public ResponseEntity<ServiceResponse> getAzurePipelineNameAndDefinitionIdList(@PathVariable String connectionId,
 			@PathVariable String version) {
 		ServiceResponse response;
+		version = CommonUtils.sanitizeUserInput(version);
 		List<AzurePipelinesResponseDTO> pipelinesResponseList = azureToolConfigService
 				.getAzurePipelineNameAndDefinitionIdList(connectionId, version);
 		if (CollectionUtils.isEmpty(pipelinesResponseList)) {

customapi/src/main/java/com/publicissapient/kpidashboard/apis/azure/service/AzureToolConfigServiceImpl.java

@@ -6,6 +6,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.bson.types.ObjectId;
 import org.json.simple.JSONArray;
@@ -73,6 +74,11 @@ public List<AzurePipelinesResponseDTO> getAzurePipelineNameAndDefinitionIdList(S
 			try {
 				connectionService.validateConnectionFlag(connection);
 				HttpEntity<?> httpEntity = new HttpEntity<>(restAPIUtils.getHeaders(username, password));
+				// Validate the constructed URL
+				if (!CommonUtils.isValidUrl(finalUrl)) {
+					log.error("Invalid URL: {}", finalUrl);
+					return responseList;
+				}
 				ResponseEntity<String> response = restTemplate.exchange(finalUrl, HttpMethod.GET, httpEntity,
 						String.class);
 
@@ -88,13 +94,13 @@ public List<AzurePipelinesResponseDTO> getAzurePipelineNameAndDefinitionIdList(S
 					}
 				} else {
 					String statusCode = response.getStatusCode().toString();
-					log.error("Error while fetching ProjectsAndPlanKeyList from {}. with status {}", finalUrl,
+					log.error("Error while fetching ProjectsAndPlanKeyList from {}. with status {}", CommonUtils.sanitizeUserInput(finalUrl),
 							statusCode);
 				}
 
 			} catch (Exception exception) {
 				isClientException(connection, exception);
-				log.error("Error while fetching ProjectsAndPlanKeyList from {}:  {}", finalUrl, exception.getMessage());
+				log.error("Error while fetching ProjectsAndPlanKeyList from {}:  {}", CommonUtils.sanitizeUserInput(finalUrl), exception.getMessage());
 			}
 		}
 		return responseList;

customapi/src/main/java/com/publicissapient/kpidashboard/apis/bamboo/rest/BambooController.java

@@ -2,6 +2,7 @@
 
 import java.util.List;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -56,6 +57,7 @@ public ResponseEntity<ServiceResponse> getBambooProjectsAndPlanKeys(@PathVariabl
 	public ResponseEntity<ServiceResponse> getBambooBranchesNameAndKeys(@PathVariable String connectionId,
 			@PathVariable String jobNameKey) {
 		ServiceResponse response;
+		jobNameKey = CommonUtils.sanitizeUserInput(jobNameKey);
 		List<BambooBranchesResponseDTO> projectKeyList = bambooToolConfigService
 				.getBambooBranchesNameAndKeys(connectionId, jobNameKey);
 		if (CollectionUtils.isEmpty(projectKeyList)) {

customapi/src/main/java/com/publicissapient/kpidashboard/apis/bamboo/service/BambooToolConfigServiceImpl.java

@@ -23,6 +23,7 @@
 import com.publicissapient.kpidashboard.apis.bamboo.model.BambooDeploymentProjectsResponseDTO;
 import com.publicissapient.kpidashboard.apis.bamboo.model.BambooPlansResponseDTO;
 import com.publicissapient.kpidashboard.apis.connection.service.ConnectionService;
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import com.publicissapient.kpidashboard.apis.util.RestAPIUtils;
 import com.publicissapient.kpidashboard.common.exceptions.ClientErrorMessageEnum;
 import com.publicissapient.kpidashboard.common.model.connection.Connection;
@@ -114,6 +115,12 @@ public List<BambooBranchesResponseDTO> getBambooBranchesNameAndKeys(String conne
 			String url = String.format(new StringBuilder(baseUrl).append(RESOURCE_BRANCH_ENDPOINT).toString(),
 					jobNameKey);
 
+			// Validate the constructed URL
+			if (!CommonUtils.isValidUrl(url)) {
+				log.error("Invalid URL: {}", url);
+				return responseDTOList;
+			}
+
 			HttpEntity<?> httpEntity = new HttpEntity<>(restAPIUtils.getHeaders(username, password));
 			try {
 				connectionService.validateConnectionFlag(connection);
@@ -133,19 +140,20 @@ public List<BambooBranchesResponseDTO> getBambooBranchesNameAndKeys(String conne
 
 	/**
 	 * this method is used to call the api to get branches
+	 * 
 	 * @param responseDTOList
 	 * @param url
 	 * @param httpEntity
 	 * @throws ParseException
 	 */
-	private void apiCallToGetBranches(List<BambooBranchesResponseDTO> responseDTOList, String url, HttpEntity<?> httpEntity) throws ParseException {
+	private void apiCallToGetBranches(List<BambooBranchesResponseDTO> responseDTOList, String url,
+			HttpEntity<?> httpEntity) throws ParseException {
 		ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, httpEntity, String.class);
 		if (response.getStatusCode() == HttpStatus.OK) {
 			parseBranchesResponse(responseDTOList, response);
 		} else {
 			String statusCode = response.getStatusCode().toString();
-			log.error("Error while fetching BambooBranchesNameAndKeys from {}. with status {}", url,
-					statusCode);
+			log.error("Error while fetching BambooBranchesNameAndKeys from {}. with status {}", url, statusCode);
 		}
 	}
 

customapi/src/main/java/com/publicissapient/kpidashboard/apis/bitbucket/rest/BitBucketController.java

@@ -76,7 +76,7 @@ public class BitBucketController {
 	public ResponseEntity<List<KpiElement>> getBitBucketAggregatedMetrics(@NotNull @RequestBody KpiRequest kpiRequest)
 			throws Exception { // NOSONAR
 		MDC.put("BitbucketKpiRequest", kpiRequest.getRequestTrackerId());
-		log.info("Received BitBucket KPI request {}", kpiRequest);
+
 		long bitbucketRequestStartTime = System.currentTimeMillis();
 		MDC.put("BitbucketRequestStartTime", String.valueOf(bitbucketRequestStartTime));
 		cacheService.setIntoApplicationCache(Constant.KPI_REQUEST_TRACKER_ID_KEY + KPISource.BITBUCKET.name(),
@@ -111,7 +111,7 @@ public ResponseEntity<List<KpiElement>> getBitBucketAggregatedMetrics(@NotNull @
 	public ResponseEntity<List<KpiElement>> getBitBucketKanbanAggregatedMetrics(
 			@NotNull @RequestBody KpiRequest kpiRequest) throws Exception { // NOSONAR
 		MDC.put("BitbucketKpiRequest", kpiRequest.getRequestTrackerId());
-		log.info(" Received BitBucket KPI request {}", kpiRequest);
+
 		long bitbucketKanbanRequestStartTime = System.currentTimeMillis();
 		MDC.put("BitbucketKanbanRequestStartTime", String.valueOf(bitbucketKanbanRequestStartTime));
 		cacheService.setIntoApplicationCache(Constant.KPI_REQUEST_TRACKER_ID_KEY + KPISource.BITBUCKETKANBAN.name(),

customapi/src/main/java/com/publicissapient/kpidashboard/apis/bitbucket/service/BitBucketServiceKanbanR.java

@@ -83,8 +83,6 @@ public class BitBucketServiceKanbanR {
 	@SuppressWarnings("unchecked")
 	public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundException {
 
-		log.info("[BITBUCKET KANBAN][{}]. Processing KPI calculation for data {}", kpiRequest.getRequestTrackerId(),
-				kpiRequest.getKpiList());
 		List<KpiElement> responseList = new ArrayList<>();
 		String[] kanbanProjectKeyCache = null;
 		try {
@@ -111,8 +109,6 @@ public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundExce
 					KPISource.BITBUCKETKANBAN.name(), groupId, null);
 			if (!kpiRequest.getRequestTrackerId().toLowerCase().contains(KPISource.EXCEL.name().toLowerCase())
 					&& null != cachedData) {
-				log.info("[BITBUCKET KANBAN][{}]. Fetching value from cache for {}", kpiRequest.getRequestTrackerId(),
-						kpiRequest.getIds());
 				return (List<KpiElement>) cachedData;
 			}
 
@@ -126,12 +122,12 @@ public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundExce
 
 		} catch (EntityNotFoundException enfe) {
 
-			log.error("[BITBUCKET KANBAN][{}]. Error while KPI calculation for data. No data found {} {}",
-					kpiRequest.getRequestTrackerId(), kpiRequest.getKpiList(), enfe);
+			log.error("[BITBUCKET KANBAN][{}]. Error while KPI calculation for data. No data found {}",
+					kpiRequest.getRequestTrackerId(), enfe);
 			throw enfe;
 		} catch (ApplicationException e) {
-			log.error("[BITBUCKET KANBAN][{}]. Error while KPI calculation for data {} {}",
-					kpiRequest.getRequestTrackerId(), kpiRequest.getKpiList(), e);
+			log.error("[BITBUCKET KANBAN][{}]. Error while KPI calculation for data {}",
+					kpiRequest.getRequestTrackerId(), e);
 			throw new HttpMessageNotWritableException(e.getMessage(), e);
 		}
 

customapi/src/main/java/com/publicissapient/kpidashboard/apis/bitbucket/service/BitBucketServiceR.java

@@ -72,8 +72,6 @@ public class BitBucketServiceR {
 	@SuppressWarnings("unchecked")
 	public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundException {
 
-		log.info("[BITBUCKET][{}]. Processing KPI calculation for data {}", kpiRequest.getRequestTrackerId(),
-				kpiRequest.getKpiList());
 		List<KpiElement> origRequestedKpis = kpiRequest.getKpiList().stream().map(KpiElement::new)
 				.collect(Collectors.toList());
 		List<KpiElement> responseList = new ArrayList<>();
@@ -99,8 +97,6 @@ public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundExce
 					groupId, kpiRequest.getSprintIncluded());
 			if (!kpiRequest.getRequestTrackerId().toLowerCase().contains(KPISource.EXCEL.name().toLowerCase())
 					&& null != cachedData) {
-				log.info("[BITBUCKET][{}]. Fetching value from cache for {}", kpiRequest.getRequestTrackerId(),
-						kpiRequest.getIds());
 				return (List<KpiElement>) cachedData;
 			}
 
@@ -125,8 +121,7 @@ public List<KpiElement> process(KpiRequest kpiRequest) throws EntityNotFoundExce
 		}
 
 		} catch (Exception e) {
-			log.error("[BITBUCKET][{}]. Error while KPI calculation for data {} {}", kpiRequest.getRequestTrackerId(),
-					kpiRequest.getKpiList(), e);
+			log.error("[BITBUCKET][{}]. Error while KPI calculation for data {}", kpiRequest.getRequestTrackerId(), e);
 			throw new HttpMessageNotWritableException(e.getMessage(), e);
 		}
 

customapi/src/main/java/com/publicissapient/kpidashboard/apis/capacity/rest/CapacityMasterController.java

@@ -4,6 +4,7 @@
 
 import javax.validation.Valid;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.bson.types.ObjectId;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -75,7 +76,7 @@ public ResponseEntity<ServiceResponse> addCapacity(@RequestBody CapacityMaster c
 	@GetMapping("/{basicProjectConfigId}")
 	public ResponseEntity<ServiceResponse> getCapacities(@PathVariable String basicProjectConfigId) {
 		ServiceResponse response = null;
-
+		basicProjectConfigId = CommonUtils.sanitizeUserInput(basicProjectConfigId);
 		List<CapacityMaster> capacities = capacityMasterService.getCapacities(basicProjectConfigId);
 		if (CollectionUtils.isNotEmpty(capacities)) {
 			response = new ServiceResponse(true, "Capacity Data", capacities);

customapi/src/main/java/com/publicissapient/kpidashboard/apis/comments/service/CommentsServiceImpl.java

@@ -83,7 +83,6 @@ public Map<String, Object> findCommentByKPIId(String node, String level, String
 			mappedCollection.put("kpiId", kpiId);
 			mappedCollection.put("CommentsInfo", finalCommentsInfo);
 		}
-		log.info("Final filter comments of matching kpiId {}", mappedCollection);
 		return mappedCollection;
 	}
 
@@ -151,8 +150,6 @@ public List<CommentViewResponseDTO> findLatestCommentSummary(List<String> nodes,
 	 */
 	@Override
 	public boolean submitComment(CommentSubmitDTO comment) {
-
-		log.debug("CommentSubmitDTO info {}", comment);
 		List<CommentsInfo> commentsInfo = comment.getCommentsInfo();
 		if (CollectionUtils.isNotEmpty(commentsInfo)) {
 			for (CommentsInfo commentInfo : commentsInfo) {

customapi/src/main/java/com/publicissapient/kpidashboard/apis/common/rest/KPIExcelDataController.java

@@ -75,8 +75,8 @@ public ResponseEntity<KPIExcelValidationDataResponse> getValidationKPIData(HttpS
 		Boolean isApiAuth = StringUtils.isNotEmpty(
 				apiKey) && apiKey.equalsIgnoreCase(request.getHeader(Constant.TOKEN_KEY));
 		String kpiRequestStr = kpiRequest.toString();
-		kpiID = CommonUtils.handleCrossScriptingTaintedValue(kpiID);
-		kpiRequestStr = CommonUtils.handleCrossScriptingTaintedValue(kpiRequestStr);
+		kpiID = CommonUtils.sanitizeUserInput(kpiID);
+		kpiRequestStr = CommonUtils.sanitizeUserInput(kpiRequestStr);
 		log.info("[KPI-EXCEL-DATA][]. Received Specific Excel KPI Data request for {} with kpiRequest {}", kpiID,
 				kpiRequestStr);
 

customapi/src/main/java/com/publicissapient/kpidashboard/apis/common/service/impl/CacheServiceImpl.java

@@ -79,7 +79,7 @@ public void clearCache(String cacheName) {
 		if (cache != null) {
 			cache.clear();
 			cache.evict(cacheName);
-			log.info("Clearing Cache ==>> {}", cacheName);
+			log.info("Clearing Cache ==>> {}", CommonUtils.sanitizeUserInput(cacheName));
 		}
 	}
 

customapi/src/main/java/com/publicissapient/kpidashboard/apis/config/CorsFilter.java

@@ -108,7 +108,6 @@ private Boolean validateOriginWithWhitelist(List<String> originWhiteList, Boolea
 			throws MalformedURLException {
 		Boolean result = theResult;
 		String originHost = new URL(origin).getHost();
-		log.debug("value of orignHost : {}", originHost);
 		for (String allowedOrigin : originWhiteList) {
 			if (StringUtils.equalsIgnoreCase(originHost, allowedOrigin)) {
 				result = Boolean.TRUE;

customapi/src/main/java/com/publicissapient/kpidashboard/apis/connection/rest/ConnectionController.java

@@ -20,6 +20,7 @@
 
 import javax.validation.Valid;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.modelmapper.ModelMapper;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -71,6 +72,7 @@ public class ConnectionController {
 	@PreAuthorize("hasPermission(#type,'CONNECTION_ACCESS')")
 	public ResponseEntity<ServiceResponse> getAllConnection(
 			@RequestParam(name = "type", required = false) String type) {
+		type = CommonUtils.sanitizeUserInput(type);
 		if (StringUtils.isEmpty(type)) {
 			log.info("Fetching all connection");
 			return ResponseEntity.status(HttpStatus.OK).body(connectionService.getAllConnection());
@@ -115,7 +117,6 @@ public ResponseEntity<ServiceResponse> saveConnectionDetails(@RequestBody Connec
 	@PreAuthorize("hasPermission(#id,'CONNECTION_ACCESS')")
 	public ResponseEntity<ServiceResponse> modifyConnectionById(@PathVariable String id,
 			@Valid @RequestBody ConnectionDTO connectionDTO) {
-		log.info("conn@{} updated", connectionDTO.getId());
 		final ModelMapper modelMapper = new ModelMapper();
 		final Connection conn = modelMapper.map(connectionDTO, Connection.class);
 		return ResponseEntity.status(HttpStatus.OK).body(connectionService.updateConnection(id, conn));